CNIT 126 5: IDA Pro
![Page 1: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/1.jpg)
Practical Malware Analysis
Ch 5: IDA Pro
Last modified 2-6-16
![Page 2: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/2.jpg)
IDA Pro Versions
• Full-featured pay version
• Old free version
  – Both support x86
  – Pay version supports x64 and other processors, such as cell phone processors
• Both have code signatures for common library code in FLIRT (Fast Library Identification and Recognition Technology)
![Page 3: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/3.jpg)
Graph and Text Mode
• Spacebar switches mode
![Page 4: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/4.jpg)
Default Graph Mode Display
![Page 5: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/5.jpg)
Options, General
![Page 6: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/6.jpg)
Better Graph Mode View
![Page 7: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/7.jpg)
Arrows
• Colors
  – Red: Conditional jump not taken
  – Green: Conditional jump taken
  – Blue: Unconditional jump
• Direction
  – Up: Loop
![Page 8: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/8.jpg)
Arrow Color Example
![Page 9: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/9.jpg)
Highlighting
• Highlighting text in graph mode highlights every instance of that text
![Page 10: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/10.jpg)
Text Mode
• Arrows
  – Solid = Unconditional
  – Dashed = Conditional
  – Up = Loop
• Screenshot callouts: Section, Address, Comment generated by IDA Pro
![Page 11: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/11.jpg)
Options, General
![Page 12: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/12.jpg)
Adds Comments to Each Instruction
![Page 13: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/13.jpg)
Useful Windows for Analysis
![Page 14: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/14.jpg)
Functions
• Shows each function, length, and flags
  – L = Library function
• Sortable
  – Large functions are usually more important
![Page 15: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/15.jpg)
Names Window
• Every address with a name
  – Functions, named code, named data, strings
![Page 16: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/16.jpg)
Strings
![Page 17: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/17.jpg)
Imports & Exports
![Page 18: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/18.jpg)
Structures
• All active data structures
  – Hover to see a yellow pop-up window
![Page 19: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/19.jpg)
Cross-Reference
• Double-click a function
• Jump to code in other views
![Page 20: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/20.jpg)
Function Call
• Parameters pushed onto the stack
• CALL to start the function
![Page 21: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/21.jpg)
Returning to the Default View
• Windows, Reset Desktop
• Windows, Save Desktop
  – To save a new view
![Page 22: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/22.jpg)
Navigating IDA Pro
![Page 23: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/23.jpg)
Imports or Strings
• Double-click any entry to display it in the disassembly window
![Page 24: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/24.jpg)
Using Links
• Double-click any address in the disassembly window to display that location
![Page 25: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/25.jpg)
History
• Forward and Back buttons work like a Web browser
![Page 26: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/26.jpg)
Navigation Band
• Light blue: Library code
• Red: Compiler-generated code
• Dark blue: User-written code
  – Analyze this
![Page 27: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/27.jpg)
Jump to Location
• Press G
• Can jump to an address or a named location
![Page 28: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/28.jpg)
Searching
• Many options
• Search, Text is handy
![Page 29: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/29.jpg)
Using Cross-References
![Page 30: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/30.jpg)
Code Cross-References
• XREF comment shows where this function is called
• But it only shows a couple of cross-references by default
![Page 31: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/31.jpg)
To See All Cross-References
• Click function name and press X
![Page 32: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/32.jpg)
Data Cross-References
• Demo:
  – Start with strings
  – Double-click an interesting string
  – Hover over DATA XREF to see where that string is used
  – X shows all references
![Page 33: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/33.jpg)
Analyzing Functions
![Page 34: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/34.jpg)
Function and Argument Recognition
• IDA Pro identifies a function, names it, and also names the local variables
• It's not always correct
![Page 35: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/35.jpg)
Using Graphing Options
![Page 36: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/36.jpg)
Graphing Options
![Page 37: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/37.jpg)
Graphing Options
• These are "Legacy Graphs" and cannot be manipulated with IDA
• The first two seem obsolete
  – Flow chart
    • Create a flow chart of the current function
  – Function calls
    • Graph function calls for the entire program
![Page 38: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/38.jpg)
Graphing Options
• Xrefs to
  – Graphs XREFs to get to the selected XREF
  – Can show all the paths that get to a function
![Page 39: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/39.jpg)
Windows Genuine Status in Calc.exe
![Page 40: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/40.jpg)
Graphing Options
• Xrefs from
  – Graphs XREFs from the selected XREF
  – Can show all the paths that exit from a function
![Page 41: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/41.jpg)
Graphing Options
• User xrefs chart...
  – Customize the graph's recursive depth, symbols used, to or from symbol, etc.
  – The only way to modify legacy graphs
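The cross-reference slides above (the CODE XREF comment that shows only a couple of callers by default, X to list them all, and the Xrefs to / Xrefs from graphs with their recursion depth) describe a small graph algorithm that can be reproduced outside IDA. The Python below is an added example, not code from the slides, the course, or IDA itself: it builds call cross-references from a constructed listing (the sub_XXXXXX names, the CreateFileA import and every instruction are made up for the demonstration) and enumerates caller chains and callee sets the way the legacy graphs do.

```python
"""Cross-references over a constructed disassembly listing.

Added example, not code from the slides: it rebuilds what IDA presents as
the CODE XREF comment on a function and as the "Xrefs to" / "Xrefs from"
graphs, including the recursive-depth limit of the user xrefs chart.
"""
import re
from collections import defaultdict

# Constructed listing (not a real binary): function name -> its instructions.
# Names mimic IDA's auto-generated sub_XXXXXX labels plus one imported API.
LISTING = {
    "start":      ["push ebp", "call sub_401000", "call sub_401200", "ret"],
    "sub_401000": ["call sub_401100", "call sub_401100", "call sub_401300", "ret"],
    "sub_401100": ["push 0", "call ds:CreateFileA", "ret"],
    "sub_401200": ["call sub_401300", "ret"],
    "sub_401300": ["call ds:CreateFileA", "call sub_401100", "ret"],
}

CALL_RE = re.compile(r"^\s*call\s+(?:ds:)?(\w+)\s*$")


def build_xrefs(listing):
    """Return (calls_from, calls_to).

    calls_from[f] is the ordered list of targets f calls (one per call site);
    calls_to[g] is the list of (caller, instruction_index) sites that call g,
    which is what IDA's CODE XREF comment enumerates."""
    calls_from = defaultdict(list)
    calls_to = defaultdict(list)
    for func, instructions in listing.items():
        for index, insn in enumerate(instructions):
            m = CALL_RE.match(insn)
            if m:
                calls_from[func].append(m.group(1))
                calls_to[m.group(1)].append((func, index))
    return dict(calls_from), dict(calls_to)


def xref_comment(calls_to, func, limit=2):
    """The "; CODE XREF: ..." comment IDA puts beside a function header.
    IDA shows only a couple of sites by default (pressing X lists them all);
    limit=None prints every site.  Offsets here are instruction indexes,
    not the byte offsets IDA prints."""
    sites = ["%s+%d" % site for site in calls_to.get(func, [])]
    if limit is not None and len(sites) > limit:
        return "CODE XREF: " + ", ".join(sites[:limit]) + " ..."
    return "CODE XREF: " + ", ".join(sites)


def paths_to(calls_to, target, max_depth=None):
    """All caller chains ending at `target` (IDA's "Xrefs to" graph).
    Each chain is returned in forward order, root -> ... -> target.  A chain
    stops at a function nobody calls (a root such as the entry point), at
    the recursion depth limit, or when it would revisit a function (cycle)."""
    results = []

    def walk(chain, depth):
        current = chain[0]
        callers = sorted({caller for caller, _ in calls_to.get(current, [])}
                         - set(chain))
        if not callers or (max_depth is not None and depth >= max_depth):
            results.append(list(chain))
            return
        for caller in callers:
            walk([caller] + chain, depth + 1)

    walk([target], 0)
    return sorted(results)


def reachable_from(calls_from, source, max_depth=None):
    """Functions reachable by following calls out of `source` (IDA's
    "Xrefs from" graph), mapped to the call depth at which each is first
    reached.  max_depth mirrors the user xrefs chart's recursion setting."""
    depths = {}
    frontier = [source]
    depth = 0
    while frontier and (max_depth is None or depth < max_depth):
        depth += 1
        next_frontier = []
        for func in frontier:
            for callee in calls_from.get(func, []):
                if callee != source and callee not in depths:
                    depths[callee] = depth
                    next_frontier.append(callee)
        frontier = next_frontier
    return depths


if __name__ == "__main__":
    calls_from, calls_to = build_xrefs(LISTING)
    print(xref_comment(calls_to, "sub_401100"))
    for path in paths_to(calls_to, "CreateFileA", max_depth=2):
        print(" -> ".join(path))
    print(reachable_from(calls_from, "sub_401200"))
```

Running it prints the two-entry XREF comment for sub_401100 followed by the four depth-limited chains into CreateFileA; dropping max_depth gives the five full chains from start, which is the picture the Xrefs to graph draws.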
![Page 42: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/42.jpg)
Enhancing Disassembly
![Page 43: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/43.jpg)
Warning
• There's no Undo, so if you make changes and mess them up, you may be sorry
![Page 44: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/44.jpg)
Renaming Locations
• You can change a name like sub_401000 to ReverseBackdoorThread
• Change it in one place, IDA will change it everywhere else
![Page 45: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/45.jpg)
![Page 46: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/46.jpg)
Comments
• Press colon (:) to add a single comment
• Press semicolon (;) to echo this comment to all Xrefs
![Page 47: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/47.jpg)
Formatting Operands
• Hexadecimal by default
• Right-click to use other formats
![Page 48: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/48.jpg)
Using Named Constants
• Makes Windows API arguments clearer
![Page 49: CNIT 126 5: IDA Pro](https://reader030.fdocuments.net/reader030/viewer/2022020212/589a18f51a28ab2a678b5339/html5/thumbnails/49.jpg)
Extending IDA with Plug-ins
• IDC (IDA's scripting language) and Python scripts available (link Ch 6a)
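As an added example of the Python scripting hook this slide refers to (not code from the slides, the course, or Hex-Rays), here is an IDAPython script that reads the Functions window data (name, length, L flag, cross-reference count) and ranks it the way the earlier Functions slide suggests: skip library code, look at the biggest functions first, and put a repeatable (;) comment on the top candidates so they stand out at every cross-reference. The idautils and idc calls are the IDAPython API shipped with IDA 7; the fallback table of functions is constructed so the ranking logic runs and can be checked without IDA.

```python
"""Function triage script for IDA's Python scripting interface.

Added example, not from the slides.  Inside IDA it is run with File > Script
file and reads the Functions window data through IDAPython (idautils/idc);
outside IDA it falls back to a constructed table so the ranking logic can
be run and tested on its own.
"""
try:
    import idautils
    import idc
    IN_IDA = True
except ImportError:          # plain Python: no IDA available
    IN_IDA = False

# Constructed records (not from a real binary), one per function:
# (start_ea, name, length_in_bytes, is_library, xrefs_to)
CONSTRUCTED = [
    (0x401000, "sub_401000", 0x1A4, False, 1),
    (0x4011B0, "sub_4011B0", 0x020, False, 7),
    (0x401300, "sub_401300", 0x612, False, 2),
    (0x402000, "_strlen",    0x030, True,  9),   # FLIRT-recognised library code
    (0x402100, "WinMain",    0x0C0, False, 1),
]


def collect_functions():
    """Read (start, name, length, is_library, xrefs_to) for every function.
    Inside IDA this is the same data the Functions window shows; the L flag
    corresponds to FUNC_LIB in the function flags."""
    if not IN_IDA:
        return list(CONSTRUCTED)
    records = []
    for ea in idautils.Functions():
        start = idc.get_func_attr(ea, idc.FUNCATTR_START)
        end = idc.get_func_attr(ea, idc.FUNCATTR_END)
        flags = idc.get_func_attr(ea, idc.FUNCATTR_FLAGS)
        xrefs = sum(1 for _ in idautils.CodeRefsTo(ea, 0))
        records.append((start, idc.get_func_name(ea), end - start,
                        bool(flags & idc.FUNC_LIB), xrefs))
    return records


def rank_for_analysis(records, skip_library=True):
    """Order functions the way the slides suggest reading them: library code
    (L flag) is skipped, then the largest functions come first because they
    usually carry the most program logic; ties break on xref count so a
    widely called helper outranks an equally large one-off."""
    candidates = [r for r in records if not (skip_library and r[3])]
    return sorted(candidates, key=lambda r: (-r[2], -r[4], r[0]))


def auto_named(records):
    """Functions still carrying IDA's automatic sub_XXXXXX label, i.e. the
    ones nobody has renamed yet."""
    return [r for r in records if r[1].startswith("sub_")]


def mark_candidates(records, top=3):
    """Inside IDA: put a repeatable comment (the ';' comment, echoed at every
    cross-reference) on the top-ranked functions so they stand out in the
    listing.  Returns the names marked, in rank order."""
    chosen = rank_for_analysis(records)[:top]
    for start, _name, length, _lib, xrefs in chosen:
        if IN_IDA:
            idc.set_cmt(start, "TRIAGE: %d bytes, %d xrefs" % (length, xrefs), 1)
    return [r[1] for r in chosen]


if __name__ == "__main__":
    for start, name, length, _lib, xrefs in rank_for_analysis(collect_functions()):
        print("%08X %-20s %6d bytes %3d xrefs" % (start, name, length, xrefs))
    print("marked:", mark_candidates(collect_functions()))
```

Because the script never renames anything, it is safe to run repeatedly; the comments it adds are a visible starting point for the manual renaming the Enhancing Disassembly slides describe, and there is no Undo for those edits, so keep the automated part read-mostly.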